From 08e0f82c4a60e88a8967536afe4d997f8051be81 Mon Sep 17 00:00:00 2001
From: "deanm@chromium.org"
Date: Thu, 19 Mar 2009 11:53:30 +0000
Subject: Fix traceline's system call patching on recent versions of ntdll.dll.
Because KiFastSystemCall is so short (4 bytes), we need to use the preceeding alignment for a 5 byte jump. The compiler is generating more complicated alignments these days. Hardcode another case.
Additionally switch to using the XP system call tables by default.
Review URL: http://codereview.chromium.org/50006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@12088 0039d316-1c4b-4281-b951-d872f2087c98
---
tools/traceline/traceline/main.cc | 11 +++++++----
tools/traceline/traceline/syscall_map.h | 8 ++++++--
2 files changed, 13 insertions(+), 6 deletions(-)
(limited to 'tools/traceline')
diff --git a/tools/traceline/traceline/main.cc b/tools/traceline/traceline/main.cc
index f149853..997a428 100755
--- a/tools/traceline/traceline/main.cc
+++ b/tools/traceline/traceline/main.cc
@@ -199,8 +199,14 @@ class Playground {
func_addr - 5, GetLastError());
}
+ // TODO(deanm): It seems in more recent updates the compiler is generating
+ // complicated sequences for padding / alignment. For example:
+ // 00000000 8DA42400000000 lea esp,[esp+0x0]
+ // 00000007 8D4900 lea ecx,[ecx+0x0]
+ // is used for a 16 byte alignment. We need a better way of handling this.
if (memcmp(buf, "\x90\x90\x90\x90\x90", 5) == 0 ||
-memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0) {
+memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0 ||
+memcmp(buf, "\x00\x00\x8D\x49\x00", 5) == 0) {
unsigned int instr_bytes = 0;
// We might have a hotpatch no-op of mov edi, edi "\x8b\xff". It is a
@@ -994,10 +1000,7 @@ class Playground {
PatchThreadExit();
PatchSetThreadName();
-#if 0
- // FIXME
PatchSyscall();
-#endif
PatchApcDispatcher();
diff --git a/tools/traceline/traceline/syscall_map.h b/tools/traceline/traceline/syscall_map.h
index 18f12db..30a2348 100755
--- a/tools/traceline/traceline/syscall_map.h
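Review bot: The new pattern `"\x00\x00\x8D\x49\x00"` matches only the last five bytes of the ten-byte padding sequence the comment above it documents, so the five-byte jump written at `func_addr - 5` appears to land across the tail of `lea esp,[esp+0x0]` rather than on an instruction boundary, and nothing in the hunk says why that is safe. It is safe only if this inter-function alignment padding is never executed, which the comment should state, e.g. `// The jmp overwrites the tail of the lea; acceptable only because alignment padding between functions is never executed.` If `buf` holds more than five bytes (not visible here), matching the full `8D A4 24 00 00 00 00 8D 49 00` sequence would avoid patching over real code that merely happens to end in these bytes; the existing `"\x00\x8D\x64\x24\x00"` case has the same partial-match weakness. The enclosing function starts and ends outside the hunk.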
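Review bot: `PatchSyscall();` now runs unconditionally, yet the first hunk shows that its patch depends on the five bytes before the target matching one of three hard-coded padding sequences, and what happens when none matches lies outside that hunk; if that path only logs, an ntdll.dll with yet another alignment leaves the syscall hook silently absent and the trace is indistinguishable from a run with no syscalls. It would help to make the dependency visible at this call site with `// Requires a recognised alignment pattern before KiFastSystemCall; see the padding check in the patcher.` and, if PatchSyscall can report failure, to check and surface it here rather than continue quietly. The enclosing function starts and ends outside the hunk.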
+++ b/tools/traceline/traceline/syscall_map.h
@@ -15,9 +15,13 @@
#include
+// TODO(deanm): Right now these tables are manually extracted and hardcoded
+// here. It would be great (but possibly difficult) to do it on startup. We
+// should at least checksum the DLLs to make sure they match.
+
std::map CreateSyscallMap() {
std::map table;
-if (0) {
+if (1) { // XP table.
table[0] = "ntdll.dll!NtAcceptConnectPort";
table[1] = "ntdll.dll!NtAccessCheck";
table[2] = "ntdll.dll!ZwAccessCheckAndAuditAlarm";
@@ -954,7 +958,7 @@ if (0) {
table[4760] = "gdi32.dll!NtGdiBRUSHOBJ_DeleteRbrush";
table[4761] = "gdi32.dll!NtGdiUMPDEngFreeUserMem";
table[4762] = "gdi32.dll!NtGdiDrawStream";
-} else {
+} else { // Vista table.
table[4272] = "gdi32.dll!NtGdiGetDeviceCaps";
table[4220] = "gdi32.dll!NtGdiDeleteObjectApp";
table[4249] = "gdi32.dll!NtGdiFlush";
--
cgit v1.1
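Review bot: `if (1) { // XP table.` selects the syscall table with a bare literal, so the choice is a compile-time edit that nothing validates at run time; on a Vista host every syscall number is then resolved against the XP table and the names in the trace are silently wrong, which the new TODO acknowledges but does not guard against. At minimum give the switch a name, `static const bool kUseXpSyscallTable = true;` and `if (kUseXpSyscallTable) { // XP table.`, so the assumption is visible where the tool is configured. Selecting the table from the running OS version at startup, or checksumming the DLLs as the TODO suggests, would turn a mislabelled trace into a detected mismatch; the second hunk's `} else { // Vista table.` hangs off the same literal.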